Baby, I be movin' on —

10-year-old gets $10,000 bounty for finding Instagram vulnerability

Facebook pays out as part of its bug bounty program.

A 10-year-old schoolboy from Finland has become the youngest recipient of a £7,000 ($10,000) award under Facebook's bug bounty program, after he found a vulnerability that allowed anyone to delete comments on Instagram simply by planting malicious code into the photo-sharing app.

Jani—who at the tender age of 10 is considered too young to use Facebook by the company's own rules—outshines an unnamed 13-year-old cyber enthusiast, who once held the title of the youngest person to receive a bug bounty reward from the free content ad network.

In fact, the Finnish kid might well be the youngest publicly acknowledged bounty hunter—a title that appeared to have been previously held by Alex Miller from California, who received £2,000 from Mozilla back in 2010 at the age of 12.

Jani made the discovery in February, and notified Facebook of the vulnerability, which was claimed to have been fixed quickly.

“I tested whether the comments section of Instagram can handle harmful code. Turns out it can’t,” Jani told the local paper Iltalehti, translated by the Guardian. “I noticed that I can delete other people’s comments from there,” the youngster told Iltalehti. “I could have deleted anyone’s—like Justin Bieber’s, for example—comments.”

Jani has been interested in coding and video games since the age of eight, Iltalehti reported. He dreams of a job in the information security industry, and has been learning about the trade from instructional videos on YouTube.

The ethical hacker received his bounty in March, and reportedly plans to spend the money on a football and a new bicycle. His school chums and parents are said to be quite surprised by the news.

Facebook's bug bounty program was launched in 2011, and since then a sum of £2.95 million has been paid out to more than 800 security researchers and enthusiasts. In 2015, the average payout on the program was £1,223—with people from India, Egypt, and Trinidad and Tobago receiving the highest number of rewards.

Andrii Degeler
Andrii is a contributing reporter at Ars Technica UK, covering a wide range of topics from policy to hardware and crowdfunding. He holds a master's degree in Journalism from the University of Groningen, the Netherlands. Email: andrii@proceed.to // Twitter: @adegeler